Latest bugzilla version for the 3.4 branch (3.4.13) is in epel-testing and should address your concern. It could have been pushed to stable earlier if it had received some karma. Please give it a try and leave a comment. 
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2011-5388/bugzilla-3.4.13-1.el6

"Note that once we release the final Bugzilla 4.2, the 3.4.x series will reach End Of Life . This means that it won't get any new security fixes, leaving these installations vulnerable to these exploits. Installations still running 3.4.x or older are strongly encouraged to upgrade to 4.0.x or 4.2rc1.Well,as official notes says " 
 
 
Well,when will you push 4.x into EPEL?

This is very unlikely to happen, as this is against the EPEL update policy (no incompatible upgrades during a release lifespan). See https://fedoraproject.org/wiki/EPEL/GuidelinesAndPolicies

When 3.4 branch will be EOL'ed, which it is not yet, I'll start backporting security fixes into the EL6 package just like I'm backporting to the EOL'ed 3.2 branch into the EL5 package. I'll keep doing that for as long as I can keep up with the backporting work.

So unless someone makes a parallel installable package for 4.0 or 4.2, there will be no bugzilla 4 in EPEL. I have not looked at this, nor do I plan to do in the near future, but I think it should be doable. Feel free to work on this if you think you absolutely need bugzilla 4, I'll be glad to help review the package. Bugzilla 4.0 is already in Fedora 16 (and 3.6 is in F15, fwiw), so there is a base to start from.

Thanks for your patience.Well,what exactly cause that it cant be updated?

Because you need to tweak conf files and run scripts when upgrading from one bugzilla branch to the other and this can't be done safely within an rpm upgrade.

Mnn...Should EPEL keep 3.x after many years????

I'll check release note and see if I can do something about it.
Thanks again!